IPStorm botnet targets Mac and Android devices in addition to Windows and Linux machines

The operators of the InterPlanetary Storm botnet have expanded their reach by releasing a new variant of the malware aimed at Mac and Android devices in addition to Windows and Linux machines, according to a new report from Barracuda researchers.

The malware is building a botnet that now includes an estimated 13,500 devices in 84 countries across the globe, with the majority located in Hong Kong, South Korea, and Taiwan. Infections were also spotted in Russia, Brazil, the U.S., Canada, Sweden and China.

“The malware is called InterPlanetary Storm because it uses the InterPlanetary File System (IPFS) p2p network and its underlying libp2p implementation. This allows infected nodes to communicate with each other directly or through other nodes (i.e. relays),” the researchers explain.

The new version of the malware compromises victim machines via a dictionary attack against SSH servers or by accessing open ADB (Android Debug Bridge) servers. The malware detects the CPU architecture and running OS of its victims, and it can run on ARM-based machines.

A Windows variant of InterPlanetary Storm was first uncovered and detailed by researchers at Anomali in May 2019. In June 2020, a Linux version of the malware was discovered, and in late August a new variant emerged capable of attacking IoT devices, such as TVs that run on Android operating systems, and Linux-based machines, such as routers with a misconfigured SSH service.

“While the botnet that this malware is building does not have clear functionality yet, it gives the campaign operators a backdoor into the infected devices so they can later be used for cryptomining, DDoS, or other large-scale attacks,” Barracuda notes.

The new InterPlanetary Storm variant comes with features that help it maintain persistence on infected machines: it can detect honeypots, persist by installing a service (systemd/SysV), update itself automatically, and kill other processes on the machine that pose a threat to the malware, such as debuggers and competing malware, which it identifies by checking for strings such as “rig,” “xig” and “debug”.

Once compromised, devices communicate with the command-and-control (C2) server to report that they are part of the botnet. The ID of each infected machine is generated during the initial infection and is reused if the machine restarts or the malware updates, the researchers said.

To defend against this threat, the researchers recommend that users properly configure SSH access on all devices, use a cloud security posture management tool to monitor SSH access control and eliminate configuration mistakes, deploy an MFA-enabled VPN connection, and segment networks according to specific needs instead of granting access to broad IP ranges.
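The infection vector described above is a dictionary attack against SSH, and the defensive advice is to configure SSH properly. The script below is an added example, not code from the article or from Barracuda's report; the function names and the sample data are constructed for illustration. It does two defender-side things: it flags source IPs in OpenSSH log lines that show repeated password failures (and notes when a password login later succeeded from the same source, which is the case that needs incident response rather than just blocking), and it audits an sshd_config fragment for the directives that make password guessing possible in the first place.

```python
"""Added example (not from the article or the Barracuda report): detect SSH
dictionary-attack activity in constructed OpenSSH log lines and audit an
sshd_config fragment for the settings that such attacks rely on."""
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH syslog format (not real data).
# OpenSSH logs BOTH an "Invalid user" line and a "Failed password for invalid
# user" line for an unknown account, so only the "Failed password" line is
# counted below to avoid double counting one attempt.
SAMPLE_AUTH_LOG = """\
Oct  2 10:01:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Oct  2 10:01:02 host sshd[1202]: Failed password for admin from 203.0.113.7 port 50123 ssh2
Oct  2 10:01:02 host sshd[1203]: Invalid user pi from 203.0.113.7 port 50124
Oct  2 10:01:03 host sshd[1204]: Failed password for invalid user pi from 203.0.113.7 port 50124 ssh2
Oct  2 10:01:04 host sshd[1205]: Failed password for root from 203.0.113.7 port 50125 ssh2
Oct  2 10:01:05 host sshd[1206]: Failed password for root from 203.0.113.7 port 50126 ssh2
Oct  2 10:01:09 host sshd[1207]: Accepted password for root from 203.0.113.7 port 50130 ssh2
Oct  2 10:05:00 host sshd[1300]: Accepted publickey for alice from 198.51.100.20 port 41000 ssh2
Oct  2 10:06:00 host sshd[1301]: Failed password for alice from 198.51.100.20 port 41001 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (password|publickey) for (\S+) from (\S+) port")


def find_dictionary_attacks(log_text, threshold=5):
    """Return {ip: {"failures": n, "usernames": [...], "accepted_after_failures": bool}}
    for every source IP with at least `threshold` failed password attempts."""
    stats = defaultdict(lambda: {"failures": 0, "usernames": set(),
                                 "accepted_after_failures": False})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.group(1), m.group(2)
            stats[ip]["failures"] += 1
            stats[ip]["usernames"].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        # A password login that follows failures from the same source is the
        # signal that guessing succeeded; key-based logins are not counted.
        if m and m.group(1) == "password" and stats[m.group(3)]["failures"] > 0:
            stats[m.group(3)]["accepted_after_failures"] = True
    return {
        ip: {"failures": s["failures"],
             "usernames": sorted(s["usernames"]),
             "accepted_after_failures": s["accepted_after_failures"]}
        for ip, s in stats.items() if s["failures"] >= threshold
    }


# Constructed sshd_config fragment with the settings a dictionary attack needs.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""


def audit_sshd_config(config_text, max_auth_tries=3):
    """Return a list of findings for directives that leave the server open to
    password guessing; an empty list means the fragment passes. When a directive
    is absent, the OpenSSH default is assumed (PermitRootLogin prohibit-password,
    PasswordAuthentication yes, MaxAuthTries 6)."""
    settings = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    findings = []
    if settings.get("permitrootlogin", "prohibit-password") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin should be 'no' or 'prohibit-password'")
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication should be 'no' (use key-based auth)")
    if int(settings.get("maxauthtries", "6")) > max_auth_tries:
        findings.append(f"MaxAuthTries should be <= {max_auth_tries}")
    return findings


if __name__ == "__main__":
    for ip, info in find_dictionary_attacks(SAMPLE_AUTH_LOG).items():
        print(ip, info)
    for finding in audit_sshd_config(WEAK_SSHD_CONFIG):
        print("sshd_config:", finding)
```

On the constructed sample the detector reports 203.0.113.7 with five failures across the root, admin and pi accounts and a subsequent successful password login, while the single failure from 198.51.100.20 stays below the threshold; the weak configuration produces three findings and a fragment with `PermitRootLogin no`, `PasswordAuthentication no` and `MaxAuthTries 3` produces none. In production the same logic would read from the journal or /var/log/auth.log and feed a blocklist or an alert rather than printing.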
